Peter Milchov 19th August 2021 16:42:52 39

In this article I am going to briefly cover a microsegmentation approach using NSX-T and vRealize Log Insight. Be aware that this is just a basic microsegmentation exercise, meant to demonstrate how Log Insight can help you build up an infrastructure-related rule base. Designing environment- or application-specific rules is a whole different topic and will not be covered here.


Bill of Materials (BOM) consists of NSX-T 3.1.1 and vRealize Log Insight 8.3. 


vRealize Log Insight (vRLI)

vRealize Log Insight is a log collector and analytics tool that helps you preserve your logs and gain better visibility into what is going on in your environment. In this case we are going to use it to monitor specific firewall rules that are meant to capture all the packets that do not match any other firewall rule.

By the way, the Log Insight comes together with NSX-T under the same licence, so you have no excuses for not using it :)


NSX-T Distributed Firewall (DFW)

On the other side is NSX-T with its distributed firewall.

The DFW works by having a dedicated function in the ESXi IOChain intercept the VM's traffic and hand it to a kernel module on the host, which in turn enforces the distributed firewall rules. As a result of that implementation, you get a firewall rule set applied on every single vNIC that is connected to an NSX-prepared virtual switch.

Being a stateful firewall, the DFW collects related packets until the connection state can be determined, and then first evaluates the connection tracker table for a matching session. If such a session is found, the traffic is allowed to proceed. If there is no matching session, the flow is evaluated against the rule set on a first-match basis: reading the rule set for a virtual interface from top to bottom, the first rule that matches is the one the firewall applies. If the matching rule allows the traffic, the session flow is put in the conntrack table, where it remains until the session timer expires or the session is terminated. Rule order therefore matters: a broad rule placed above a specific one shadows it.


Blacklisting vs Whitelisting 

There are two different approaches to firewalling your environment - the blacklisting model and the whitelisting model.

The blacklisting model is when you create DENY rules to block specific types of traffic, and everything that does not match these DENY rules is allowed (Default Rule - ALLOW). The main advantage of the blacklisting model is its simplicity; its weakness is that any traffic you did not think of is allowed by default.

The whitelisting model is based on the zero trust principle: everything that is not explicitly allowed is denied (Default Rule - DENY).
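To make the first-match, conntrack and Default Rule semantics concrete, here is an added example in Python that is not part of the original post and not VMware code: a toy model of the DFW evaluation order (connection tracker lookup, then top-to-bottom rule match, then the Default Rule) run through the three phases this article describes (learning with logged catch-all rules, catch-alls flipped to DROP, default rule flipped to DENY). The group names, IP addresses and rule names are assumptions made up for the model, and the conntrack key is simplified to a 4-tuple without a source port.

```python
from dataclasses import dataclass
from typing import Optional, Union

ANY = "any"  # wildcard for a source, destination or service field


@dataclass(frozen=True)
class Flow:
    """A connection as the DFW sees it (assumed simplification: no source port)."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    src: Union[str, frozenset]       # ANY or a set of IPs (an NSX group, in practice)
    dst: Union[str, frozenset]
    services: Union[str, frozenset]  # ANY or a set of (proto, port) tuples
    action: str                      # "ALLOW" or "DROP"
    log_label: Optional[str] = None  # stands in for the rule's Log Label in the DFW UI

    def matches(self, f: Flow) -> bool:
        return ((self.src == ANY or f.src in self.src)
                and (self.dst == ANY or f.dst in self.dst)
                and (self.services == ANY or (f.proto, f.dport) in self.services))


class DistributedFirewall:
    """First-match rule table in front of a Default Rule, with a connection tracker."""

    def __init__(self, rules, default_action):
        self.rules = list(rules)
        self.default_action = default_action
        self.conntrack = set()
        self.log = []  # (log_label, action, flow) for every hit on a labelled rule

    def evaluate(self, f: Flow):
        # 1. established session: no rule lookup at all
        if f in self.conntrack:
            return "ALLOW", "conntrack"
        # 2. top to bottom, the first matching rule wins
        for r in self.rules:
            if r.matches(f):
                if r.log_label:
                    self.log.append((r.log_label, r.action, f))
                if r.action == "ALLOW":
                    self.conntrack.add(f)
                return r.action, r.name
        # 3. nothing matched: the Default Rule decides
        return self.default_action, "Default Rule"


# Assumed lab addressing: two infra servers, of which one is the DNS server.
INFRA_DNS = frozenset({"10.0.0.53"})
INFRA_ALL = frozenset({"10.0.0.53", "10.0.0.10"})  # plays the "Infra-All" aggregation group


def infra_section(catchall_action="ALLOW", with_catchall=True):
    """The Infra section: one real rule plus the two catch-all rules at the bottom."""
    rules = [Rule("Any-to-Infra-DNS", ANY, INFRA_DNS, frozenset({("udp", 53)}), "ALLOW")]
    if with_catchall:
        rules += [
            Rule("Catchall-Outbound", INFRA_ALL, ANY, ANY, catchall_action, "Infra-Outbound"),
            Rule("Catchall-Inbound", ANY, INFRA_ALL, ANY, catchall_action, "Infra-Inbound"),
        ]
    return rules


DNS_QUERY    = Flow("10.0.1.5", "10.0.0.53", "udp", 53)
INFRA_TO_WEB = Flow("10.0.0.10", "203.0.113.7", "tcp", 80)  # infra server reaching the internet
SSH_TO_INFRA = Flow("10.0.1.5", "10.0.0.10", "tcp", 22)
APP_TO_APP   = Flow("10.0.1.5", "10.0.1.6", "tcp", 445)     # nothing to do with infra


def run_phases():
    out = {}
    # Phase 1: learning. Default Rule ALLOW, catch-alls ALLOW but logged.
    fw = DistributedFirewall(infra_section("ALLOW"), "ALLOW")
    out["p1_dns"] = fw.evaluate(DNS_QUERY)
    out["p1_dns_again"] = fw.evaluate(DNS_QUERY)   # second packet of the same session
    out["p1_web"] = fw.evaluate(INFRA_TO_WEB)
    out["p1_ssh"] = fw.evaluate(SSH_TO_INFRA)
    out["p1_app"] = fw.evaluate(APP_TO_APP)
    out["p1_labels"] = [label for label, _, _ in fw.log]
    # Phase 2: Infra rule base complete, catch-alls flipped to DROP, Default Rule still ALLOW.
    fw = DistributedFirewall(infra_section("DROP"), "ALLOW")
    out["p2_web"] = fw.evaluate(INFRA_TO_WEB)
    out["p2_app"] = fw.evaluate(APP_TO_APP)
    # Phase 3: whole environment firewalled, Default Rule DENY, catch-alls removed.
    fw = DistributedFirewall(infra_section(with_catchall=False), "DROP")
    out["p3_dns"] = fw.evaluate(DNS_QUERY)
    out["p3_web"] = fw.evaluate(INFRA_TO_WEB)
    out["p3_app"] = fw.evaluate(APP_TO_APP)
    return out


if __name__ == "__main__":
    for key, value in run_phases().items():
        print(f"{key:14} {value}")
```

Note one side effect of the ordering: a flow between two infra servers matches Catchall-Outbound before it can reach Catchall-Inbound, so it is logged under the outbound label only.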



According to VMware, microsegmentation is a network security technique that enables security architects to logically divide the data center into distinct security segments down to the individual workload level, and then define security controls and deliver services for each unique segment.

Here we are focusing on defining the security controls rather than on the network segmentation.


Enough theory, let's get now to the actual work.

Using my home NSX-T lab, I have configured an Infrastructure section with very few rules, which I am going to use as a starting point:

DFW Rules


On the above screenshot you might have noticed that there are two unusual rules at the bottom of the Infra section. Their role is to catch all traffic that does not match any of the rules above them, and thus help me build the necessary rule base before I can switch my Default rule to DENY and achieve zero trust.

The "Catchall-Outbound" rule has as its source the "Infra-All" aggregation group, which contains all Infra-related groups, i.e. all IP addresses of my infrastructure servers, and its destination is set to ANY. It is meant to capture the traffic that egresses from the Infra servers. That rule has a log label set to "Infra-Outbound":

 outbound log label


The "Catchall-Inbound" rule has a similar configuration, where the only difference is the direction of the traffic - ANY to Infra-All, i.e. all the ingress traffic. It also has an "Infra-Inbound" log label:

inbound log label

The catch-all rules in my example focus on the Infrastructure section, but you can reuse the same approach for any firewall section, as long as they stay at the bottom of that section so they only see what the rules above them did not match.


Setting up a Dashboard in Log Insight

Assuming there is a preinstalled Log Insight instance that is already integrated with your vCenter and ESXi hosts, and also has the NSX-T content pack installed, the next step is to set up the NSX components to forward their logs to it.

That can be done manually, by configuring a syslog server in the CLI of each component (set logging-server), or globally by going to System / Fabric / Profiles / All NSX Nodes.

Global NSX syslog config


Create Log Insight Dashboard

Now that we have vSphere and NSX-T forwarding logs to the Log Insight instance, it is time to create dashboards to monitor the catch-all rules.

Open the vRLI web interface and navigate to Interactive Analytics. Once there, search for one of the previously created log labels:

Interactive Analytics


I am getting some results, which means there is traffic that did not match any of the defined Infra rules and has therefore been captured by my special rules.

To create a dashboard from that search, filter by Non-time series and group by vmx_nsxt_firewall_dst_ip_port (VMware - NSX-T):




After hitting Apply I see some results on the graph above, so the next step is to save that search to a dashboard.

Click the 3rd icon from the right, Add current query to dashboard:

Create new dashboard


And then Add to create your new dashboard:

Add query to dashboard


Repeat the same procedure for all the log labels you are monitoring. This is the result in my case:

Log Insight Dashboards


Take a look at the above dashboards. What you will see there is that the majority of the traffic that does not match any pre-created Infra rule is egress traffic; the ingress traffic is negligible.


To build up my Infra section rule base, I will start with the top polluter from the graph above. There are 1363 packets that have been sent to IP on port 80. That is a public IP and I am not quite sure what is behind it, therefore I do not know yet whether I need to create a matching Allow rule or not.

Click on the top polluter bar and select Interactive Analytics, which brings us to the analytics page filtered by that destination IP/port combination only:

pkt analytics


On the analytics page I can see two different sources - and, which are actually test Linux VMs. A quick lookup of the destination IP ( shows it is a repository for my Linux distro. That actually makes sense to me, as I did run an upgrade on my test VMs just to generate some traffic for the demo.
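The grouping the dashboard does (destination IP/port per log label) and the drill-down into the sources behind one destination can be reproduced offline against raw syslog, which is handy when you want to review a day's worth of catch-all hits outside Log Insight. The following is an added example in Python, not code from the original post or from VMware. The sample log lines are constructed and laid out to approximate the NSX-T 3.x firewall syslog format (address family, "match", action, rule ID, direction, packet length, protocol, src/dst, optional TCP flags, and the rule's log label as the trailing token); treat that exact layout as an assumption and adjust the regular expression to what your own hosts actually emit.

```python
import re
from collections import Counter

# Constructed sample lines, approximating the NSX-T 3.x DFW syslog layout (assumption).
SAMPLE_LOGS = """\
2021-08-19T14:01:02.113Z esx01 NSX 2100 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] 2021-08-19T14:01:02.113Z INET match PASS 3021 OUT 60 TCP 10.0.0.21/44310->203.0.113.7/80 SYN Infra-Outbound
2021-08-19T14:01:02.250Z esx01 NSX 2100 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] 2021-08-19T14:01:02.250Z INET match PASS 3021 OUT 60 TCP 10.0.0.21/44312->203.0.113.7/80 SYN Infra-Outbound
2021-08-19T14:01:03.004Z esx01 NSX 2100 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] 2021-08-19T14:01:03.004Z INET match PASS 3021 OUT 60 TCP 10.0.0.21/44314->203.0.113.7/80 SYN Infra-Outbound
2021-08-19T14:01:05.771Z esx02 NSX 2087 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] 2021-08-19T14:01:05.771Z INET match PASS 3021 OUT 60 TCP 10.0.0.22/50110->203.0.113.7/80 SYN Infra-Outbound
2021-08-19T14:01:06.002Z esx02 NSX 2087 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] 2021-08-19T14:01:06.002Z INET match PASS 3021 OUT 60 TCP 10.0.0.22/50112->203.0.113.7/80 SYN Infra-Outbound
2021-08-19T14:02:00.500Z esx01 NSX 2100 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] 2021-08-19T14:02:00.500Z INET match PASS 3021 OUT 76 UDP 10.0.0.21/123->198.51.100.9/123 Infra-Outbound
2021-08-19T14:02:00.501Z esx01 NSX 2100 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] 2021-08-19T14:02:00.501Z INET match PASS 3021 OUT 76 UDP 10.0.0.21/123->198.51.100.9/123 Infra-Outbound
2021-08-19T14:03:10.119Z esx01 NSX 2100 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] 2021-08-19T14:03:10.119Z INET match PASS 3022 IN 60 TCP 10.0.1.5/39190->10.0.0.10/22 SYN Infra-Inbound
2021-08-19T14:03:11.000Z esx01 NSX 2100 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] 2021-08-19T14:03:11.000Z INET match PASS 3005 IN 76 UDP 10.0.1.5/51022->10.0.0.53/53 Infra-DNS
2021-08-19T14:03:12.000Z esx01 NSX 2100 FIREWALL [nsx@6876 comp="nsx-esx" subcomp="vsip"] some unrelated message
"""

# Everything from the address family onwards; whatever follows the 5-tuple goes into "tail"
# (TCP flags, if any, and finally the log label).
LINE_RE = re.compile(
    r"INET6? match (?P<action>PASS|DROP|REJECT) (?P<rule_id>\d+) (?P<direction>IN|OUT) "
    r"(?P<length>\d+) (?P<proto>[A-Z]+) "
    r"(?P<src>[0-9A-Fa-f.:]+)/(?P<sport>\d+)->(?P<dst>[0-9A-Fa-f.:]+)/(?P<dport>\d+)"
    r"(?P<tail>.*)$"
)


def parse_dfw_line(line):
    """Return a dict for one DFW log line, or None if the line is not a firewall hit."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    tail = rec.pop("tail").split()
    rec["label"] = tail[-1] if tail else None   # log label is the last token (assumption)
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_dfw_log(text):
    """Parse a whole syslog export, silently skipping lines that are not DFW hits."""
    return [r for r in (parse_dfw_line(l) for l in text.splitlines()) if r]


def top_destinations(records, label):
    """The dashboard view: (dst_ip, dst_port) -> hit count for one log label, biggest first."""
    return Counter((r["dst"], r["dport"]) for r in records if r["label"] == label).most_common()


def sources_for(records, label, dst, dport):
    """The drill-down: which sources generated the hits on one destination IP/port."""
    return Counter(r["src"] for r in records
                   if r["label"] == label and r["dst"] == dst and r["dport"] == dport)


if __name__ == "__main__":
    recs = parse_dfw_log(SAMPLE_LOGS)
    for label in ("Infra-Outbound", "Infra-Inbound"):
        print(f"== {label}")
        for (dst, dport), n in top_destinations(recs, label):
            srcs = ", ".join(f"{s} ({c})" for s, c in sources_for(recs, label, dst, dport).items())
            print(f"  {dst}:{dport:<5} {n:>5} hits from {srcs}")
```

Lines with a different label (here the made-up Infra-DNS one) are parsed but never counted for the catch-all labels, so the output only shows traffic that fell through the real rules; the unrelated line at the end is skipped.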

I definitely want to keep updating my Linux machines, so I am going to create an Any to Linux-Upgrade rule, where the destination will be the full list of official repositories (scoping the source to the group of Linux VMs rather than Any keeps the rule tighter). However, if there is traffic that you do not want to allow, there is no need to explicitly create a Deny rule. It will be dropped anyway once you get to the point where you feel comfortable with your rule base and actually switch the Default rule to Deny.


Keep monitoring the dashboards, examine the logged traffic and create allow rules where required. Once happy with the results (i.e. the dashboards display only traffic that has to be blocked), simply set these catch-all rules to Deny, keeping their log labels so you still see what they drop. Later, when the rest of the environment is firewalled, switch the Default rule to Deny and remove the catch-all rules.


Thanks for reading!



NSX-T Distributed Firewall

Zero trust architecture design principles

Understanding the ESXi Network IOChain
